Hello,
In KB82450 McAfee describes a BUG that all NEW IPS rules will be REPORT AND BLOCK. It's a documented BUG, but we all wanted it like this (new IPS active, esp. for 0days). Now we see what happens...
The new EFS Encryption rule, which was released on 25.01.2020 and blocks upcoming EFS ransomware, generates a
FALSE POSITIVE that we see at one customer (while MOVING mailboxes from OLD 2010 to new 2016 Exchange):
"E:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe"
C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\082F1D1E87D490A9B395B4E4AF2CBA6D_8309375B-BA2F-471D-8032-24307D448CEE
ENS 10.6.X, Exchange 2016 on Server 2016
Workaround: Use either of the following workarounds:
Modify the ENS Threat Prevention Exploit Prevention policy assigned to the systems and disable the Block and Report setting for Medium severity signatures.
Review the ENS Threat Prevention Exploit Prevention Medium severity events and determine whether a false positive event occurred. If the signature is not applicable to the environment, disable the signature.
Resolution: This issue is expected to be resolved in ENS 10.7.0 Update 1. See the related article for more information.
Greetings from Switzerland
Hi @SWISS
This is a known issue that we are working on. Issue will be resolved with ENS 10.7 Update 1.
Here is the KB with the workaround:
https://kc.mcafee.com/corporate/index?page=content&id=KB92310
We posted the solution and the hint to 10.7 Update 1 already in our original post.
And why was the post from JoseRR deleted by McAfee? He is absolutely right.
Again, we welcome that McAfee enables IPS rules for 0DAY like the EFS ransomware.
Even if that is a high risk for customers. McAfee released the IPS before the weekend and was assuming that during the weekend an EFS ransomware wave would come.
The main problem I see is that some customers and even McAfee assume that we also use ENS on servers, which actually works fine.
The comment which was deleted from other user:
JoseRR (Level 10) posted a new reply in Endpoint Security (ENS) on 01-29-2020 01:32 AM:
Sorry, it wasn't McAfee who deleted it but myself, as instructed by my manager, unfortunately.
We are a partner; it seems we have to keep good PR.
Well, it's OK even if the partner, in the name of the customer, bashes McAfee or the people who want to earn points here. That's what customers pay us for. And if you believe in the products, which we personally do, this only harms the business.
The security business is full of sales blenders these days who say their products work better than others, and at the end you end up with false positives the full day.
0DAY HIPS and IPS rules make no sense if somebody has to activate them in MONITOR mode and then SHARP (Block). That is related to all brands (Palo Alto/Traps, Symantec, Trend, Kaspersky and Microsoft).
There is so much bull**bleep** sales going on, and at the end you have so many false positives.
I think McAfee runs good products here overall. What they don't run good is false positives, even on their own products (Framework/TIE/VSE DLL etc.).
RISK
That means nothing else than that McAfee pushes the RISK to its partners, who have to enable the rules.
By enable they mean you enable the rule at 01:00 in the night or at the weekend. Simply NO end customer understands that.
The latest bigger ransomware case in Germany happened because an IPS filter was not enabled and MONITOR only. T-Systems did an analysis of that and said it's because they used McAfee (just so they can sell something else). It was not McAfee, it was the NEW IPS filter not active in time.
By the way, Fortigate FortiGuard ships new IPS filters DE-activated (Monitor) for one week and then enables them after 1 week.
They all test on the customer.
Now this is related to custom branch or regional software. But Microsoft Exchange 2016 is a well-known product and they can test it in the labs. The effect of that rule only PULLS if an admin migrates mailboxes from an old to a new server. (Kind of special again...)
I fully agree with you, my boss also but politics seems to come first.
"The security business is full of sales blenders these days who say their products work better than others, and at the end you end up with false positives the full day."
"There is so much bull**bleep** sales going on, and at the end you have so many false positives."
This is an everyday story, and certainly many customers don't understand it.
In my case I made an exclusion for a particular application and convinced the customer it was a good thing adding new signatures. The following day they were calling back as a different application was being blocked. I made another exclusion, for a whole folder this time.
The third time they called in I just disabled the signature directly. Examples:
NT AUTHORITY\SYSTEM ran WS_TOMCATSERVICE.EXE, which tried to access C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\98A6697BC4B4458E66AF5297AE763307_CA65D527-D32E-40CA-A72B-7126AAEBF731, violating the rule "Malware Behavior : Windows EFS abuse", and was blocked. For information about how to respond to this event, see KB85494.
NT AUTHORITY\SYSTEM ran WS_TUNNELSERVICE.EXE, which tried to access C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\0A654418AC9C341628897393C1A383A8_CA65D527-D32E-40CA-A72B-7126AAEBF731, violating the rule "Malware Behavior : Windows EFS abuse", and was blocked. For information about how to respond to this event, see KB85494.
I will open an account here with my private email address.
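As an added example (not code from this thread, from McAfee or from the partner), a small Python triage script that parses event text of the shape quoted above and flags allowlisted binaries touching the MachineKeys container as likely false positives, so the signature can stay in Block and Report while analysts work through the remainder. The allowlist, the regex and every sample line except the first are constructed for this example.

```python
import re
from collections import Counter
# Matches the ENS Exploit Prevention event text shape quoted in this thread.
EVENT_RE = re.compile(
    r'^(?P<user>.+?) ran (?P<process>.+?), which tried to access (?P<target>.+?), '
    r'violating the rule "(?P<rule>[^"]+)", and was (?P<action>\w+)\.'
)
# Processes this thread reports as legitimate triggers of the EFS signature
# (constructed allowlist for the example; maintain it per environment).
KNOWN_BENIGN = {"Windows EFS abuse": {
    "MICROSOFT.EXCHANGE.SERVICEHOST.EXE", "WS_TOMCATSERVICE.EXE", "WS_TUNNELSERVICE.EXE"}}
MACHINEKEYS = "\\MICROSOFT\\CRYPTO\\RSA\\MACHINEKEYS\\"

def parse_event(line):
    """Return a dict with user/process/target/rule/action, or None on no match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(ev):
    """An allowlisted binary touching the MachineKeys container under the rule it is
    allowlisted for is a likely false positive; anything else stays for review."""
    rule_name = ev["rule"].split(":", 1)[-1].strip()
    exe = ev["process"].rsplit("\\", 1)[-1].upper()
    if MACHINEKEYS in ev["target"].upper() and exe in KNOWN_BENIGN.get(rule_name, ()):
        return "likely-false-positive"
    return "review"

def triage_log(lines):
    """Count verdicts over a batch of event lines ('unparsed' for unknown shapes)."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        counts[triage(ev) if ev else "unparsed"] += 1
    return counts
# Constructed sample input: line 1 is the Tomcat event quoted in the thread; the rest
# are made up, with PLACEHOLDER_KEY_CONTAINER standing in for a real key file name.
SAMPLE_LOG = [
    'NT AUTHORITY\\SYSTEM ran WS_TOMCATSERVICE.EXE, which tried to access '
    'C:\\PROGRAMDATA\\MICROSOFT\\CRYPTO\\RSA\\MACHINEKEYS\\98A6697BC4B4458E66AF5297AE763307_CA65D527-D32E-40CA-A72B-7126AAEBF731, '
    'violating the rule "Malware Behavior : Windows EFS abuse", and was blocked. '
    'For information about how to respond to this event, see KB85494.',
    'NT AUTHORITY\\SYSTEM ran E:\\Program Files\\Microsoft\\Exchange Server\\V15\\bin\\Microsoft.Exchange.ServiceHost.exe, '
    'which tried to access C:\\PROGRAMDATA\\MICROSOFT\\CRYPTO\\RSA\\MACHINEKEYS\\PLACEHOLDER_KEY_CONTAINER, '
    'violating the rule "Malware Behavior : Windows EFS abuse", and was blocked.',
    'CONTOSO\\jdoe ran UNKNOWNPROC.EXE, which tried to access '
    'C:\\PROGRAMDATA\\MICROSOFT\\CRYPTO\\RSA\\MACHINEKEYS\\PLACEHOLDER_KEY_CONTAINER, '
    'violating the rule "Malware Behavior : Windows EFS abuse", and was blocked.',
    'not an ENS event line',
]
```

Run `triage_log(SAMPLE_LOG)` to get the verdict counts; only the two allowlisted binaries come back as likely false positives, the unknown process stays queued for review.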